topic Re: Public IP Behind PaloAlto in General Topics

Public IP Behind PaloAlto

pdvpanetworks — Tue, 09 Sep 2014 15:14:53 GMT

We have a /24 public IP network where some of the IPs will not NAT and some will NAT. For the scenario were there will be no NAT, the host behind the PaloAlto will have a public IP assigned to the NIC. Under what scenario would I break up the /24 into smaller subnets or leave the subnet as a large /24. This is for a pa-500 in Layer 3 configuration, where there is a separate public /29 that is assigned to the PaloAlto, the /24 is routed to an IP on the public /29.

Thanks,

Dan

Re: Public IP Behind PaloAlto

hshah — Tue, 09 Sep 2014 16:13:03 GMT

Hi Pdv,

Make sure you havent used subnet mask in NAT policy, Normally it should be /32 mask in NAT policy. If its bigger sometimes it cause problem.

Regards,

Hardik Shah

Re: Public IP Behind PaloAlto

dburns — Wed, 10 Sep 2014 14:27:47 GMT

You should be able to configure the /24 directly on an L3 interface and DNAT any of the IPs in that space to private IPs addresses in other zones.

eg.

Untrust 11.11.11.11/29 dmz1 22.22.22.1/24 dmz2 192.168.1.1/24

DNAT rule would read Untrust -> dmz1 -> DstIP 22.22.22.2 -> DNAT IP 192.168.1.2

Your security rule would read: Untrust -> dmz2 -> DstIP 192.168.1.2

Just make sure not to use the 22.22.22.2 address in your DMZ1 zone (;

Dominic

Re: Public IP Behind PaloAlto

pdvpanetworks — Wed, 10 Sep 2014 18:37:48 GMT

dburns,

Your scenario allows the /24 with NAT, what about NAT and where a server inside the PA has an IP from the same /24, no NAT? Any issue there?

Re: Public IP Behind PaloAlto

dburns — Wed, 10 Sep 2014 18:50:25 GMT

No issue. The only issue would be if you were trying to configure one of machines with a public IP address which had a DNAT configured for it. That would not work the DNAT would be applied and the machine would not be reachable from the outside.

Dominic

Re: Public IP Behind PaloAlto

pdvpanetworks — Wed, 10 Sep 2014 19:11:53 GMT

dburns,

Thanks. I notice you are possibly in San Diego. Can I buy you a cup of coffee? As I'm new to PA gear.

Re: Public IP Behind PaloAlto

pdvpanetworks — Thu, 25 Sep 2014 21:01:36 GMT

dburns,

Any reason to not make these all in a VLAN? See this pic. As show in the this PA Doc. securing Inter VLAN traffic. I don't need to router between VLANs, necessarily, but breaking up the /24 into smaller subnets, as shown in that pic, makes security of the networks and management simpler on the switch.